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Patent 

Attorney's Docket No. 032326-143 
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re Patent Application of 

Jean-Louis VALADIER et al 

Application No.: Unassigned 

Filed: May 18, 2001 

For: METHOD FOR CONTROLLING 
THE USE OF A SMART CARD 



Group Art Unit: Unassigned 
Examiner: Unassigned 



PRELIMINARY AMENDMENT 

Assistant Commissioner for Patents 
Washington, D.C. 20231 

Sir: 

Prior to examination and the calculation of filing fees, kindly amend the above- 
identified application as follows: 



IN THE SPECIFICATION; 

Page 1, immediately following the title appearing on line 1, insert the following: 
—This disclosure is based upon, and claims priority from French Application No. 

98/14497, filed on November 18, 1998 and International Application No. 

PCT/FR99/02782, filed November 12, 1999, which was published on May 25, 2000 in a 

language other than English, the contents of which are incorporated herein by reference. 

Background of the Invention - 



Application No. Unassigned 
Attorney's Docket No. 032326-143 
Page 2 

Page 6, between lines 2 and 3, insert the following heading: 
- Summary of the Invention 

Page 6, delete lines 14 and 15. 

Page 8, between lines 16 and 17, insert the following heading: 
- Brief Description of the Drawings - . 

Page 9, between lines 3 and 4, insert the following heading: 
- Detailed D escription- 

Add the following Abstract: 

—A method for conducting transactions between a smart card and a terminal which 
includes an authentication session by the card. A control counter is decremented, or 
incremented, by one unit at the start of the transaction and subsequently re-incremented, or 
decremented, only if the authentication by the card is successful. When the counter reaches 
a threshold value, the use of the card is blocked, thereby preventing fraudulent use of the 
card in an attempt to discover the encryption keys contained in the card.— 
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IN THE CLAIMS: 

Kindly replace claims 1-12, as follows. 

1 . (Amended) A method of controlling the use of a smart card comprising a 
microprocessor that executes cryptography calculations in the card for effecting 
authentication sessions at the time of a transaction between the card and a terminal, and at 
least one control counter, comprising the steps of: 

- decrementing or incrementing the control counter by one unit at the start of a 
transaction comprising at least one authentication session by the card, and 

- if the authentication by the card has succeeded, subsequently incrementing or 
decrementing, respectively, said control counter by said unit. 

2. (Amended) A method according to Claim 1 wherein the control counter 
counts down from or counts up to a blocking value. 

3. (Amended) A method according to Claim 2, further including the step of 
using said control counter by at least one encrypting key contained in the card. 

4. (Amended) A method according to Claim 3, wherein the blocking value 
associated with a counter is a function of the type of transaction in which an associated key 
is used. 



Application No. Unassigned 
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5. (Amended) A method according to Claim 3, wherein the decrementation or 
incrementation unit of a control counter represents the number of cryptographic calculations 
with an associated key performed up till then and including the one consisting of said 
authentication session during said transaction. 

6. (Amended) A method according to Claim 3, wherein the control counter 
associated with a key is decremented or incremented by a new unit before each of the 
cryptographic calculations using said key up to and including the one relating to said 
authentication session by the card. 

7. (Amended) A method according to Claim 5, wherein the subsequent 
incrementing or decrementing of the counter by the unit representing the number of 
cryptographic calculations is effected if the authentication session by the card has 
succeeded. 

8. (Amended) A method according to Claim 6, further including the step of 
storing the number of decrementations or incrementations by one unit that have been 
carried out in a pointing counter, to control the subsequent incrementing or decrementing of 
the control counter via the content of the pointing counter, if the authentication session by 
the card has succeeded. 

9. (Amended) A method according to claim 1, wherein said authentication 
session by the card is effected at the time of a connection by direct link to a server. 
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10. (Amended) A method according to claim 3 wherein, when the control 
counter is decremented, or incremented, up to a limit value, it blocks the use of the 
associated key. 



1 1 . (Amended) A method according to Claim 10, wherein the blocking of the 
use of the key is irreversible. 

12. (Amended) A smart card comprising at least one control counter associated 
with at least one key and a microprocessor which executes the functions of decrementing or 
incrementing the control counter by one unit at the start of a transaction comprising at least 
one authentication session by the card, and subsequently incrementing or decrementing, 
respectively, said control counter by said unit if the authentication by the card has 
succeeded. 
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REMARKS 

Entry of the foregoing amendment is respectfully requested. This amendment is 
intended to place the claims in a more conventional format and eliminate the multiple 
dependency of the claims. 

Respectfully submitted, 



Burns, Doane, Swecker&Mathis, l.l.p. 




James A. LaBarre 
Registration No. 28,632 



P.O. Box 1404 

Alexandria, Virginia 22313-1404 
(703) 836-6620 



Date: May 18, 2001 
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Attachment to Preliminary Amendment dated May 18, 2001 
Marked-up Claims 1-12 

1 . (Amended) A method of controlling the use of a smart card comprising a 
microprocessor [able to effect] that executes cryptography calculations in the card for 
effecting authentication sessions at the time of a transaction between the card and a 
terminal, [characterised in that the said method uses] and at least one control counter, 
[(C KDP ) and in that, for a transaction comprising at least one authentication session by the 
card, the method consists] comprising the steps of: 

- decrementing or incrementing the control counter by one unit [(u)] at the start of 
[the transaction] a transaction comprising at least one authentication session by the card, 
and 

- if the authentication by the card has succeeded, [effecting the reincrementation or 
decrementation of the] subsequently incrementing or decrementing, respectively, said 
control counter by [the] said unit [(u)]. 

2. (Amended) A method according to Claim 1 [2, characterised in that] 
wherein the control counter [can count] counts down from or [count] counts up to a 
blocking value. 

3. (Amended) A method according to Claim 2, [characterised in that it 
comprises the use of a] further including the step of using said control counter by [an] at 
least one encrypting key [and/or by a pair of encrypting keys] contained in the card. 
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Attachment to Preliminary Amendment dated May 18, 2001 
Marked-up Claims 1-12 

4. (Amended) A method according to Claim 3, [characterised in that] wherein 
the blocking value associated with a counter is a function of the type of transaction in which 
[the] an associated key [or the associated pair of keys] is used. 

5. (Amended) A method according to Claim 3, [characterised in that] wherein 
the decrementation or incrementation unit of a control counter represents the number of 
cryptographic calculations with [the] an associated key [or the associated pair of keys,] 
performed up till then and including the one consisting of [the] said authentication session 
during [the] said transaction. 

6. (Amended) A method according to Claim 3, [characterised in that] wherein 
the control counter associated with a key [or a pair of keys] is decremented or incremented 
by a new unit before each of the cryptographic calculations using [the] said key [or the said 
pair of keys] up to and including the one relating to [the] said authentication session by the 
card. 

7. (Amended) A method according to Claim 5, [characterised in that the 
reincrementation or decrementation] wherein the subsequent incrementing or decrementing 
of the counter by the unit representing the number of cryptographic calculations is effected 
if the authentication session by the card has succeeded. 
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Attachment to Preliminary Amendment dated May 18, 2001 
Marked-up Claims 1-12 

8. (Amended) A method according to Claim 6, [characterised in that it 
comprises a pointing counter (D KDP ) for] further including the step of storing the number of 
decrementations or incrementations by one unit that have been carried out in a pointing 
counter, to [permit] control the [reincrementation or decrementation] subsequent 
incrementing or decrementing of the control counter [(C KDP )] via the content of the pointing 
counter, if the authentication session by the card has succeeded. 

9. (Amended) A [control] method according to [any one of the preceding 
claims, characterised in that the] claim 1, wherein said authentication session by the card is 
effected at the time of a connection by direct link to a server. 

10. (Amended) A method according to [any one of the preceding claims, 
characterised in that] claim 3 wherein, when the control counter is decremented, or 
incremented, up to a limit value, it blocks the use of the associated key [or associated pair 
of keys] . 

11. (Amended) A method according to Claim 10, [characterised in that] wherein 
the blocking of the use of the key [or pair of keys] is irreversible. 
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Attachment to Preliminary Amendment dated May 18, 2001 
Marked-up Claims 1-12 

12. (Amended) A smart card comprising at least one control counter associated 
with at least one key [and/or one pair of keys for implementing a control method according 
to any one of the preceding claims] and a microprocessor which executes the functions of 
decrementing or incrementing the control counter by one unit at the start of a transaction 
comprising at least one authentication session by the card, and subsequently incrementing 
or decrementing, respectively, said control counter by said unit if the authentication by the 
card has succeeded. 
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A meX£i3id~^f---GQja^^ of a smar t card 

The present invention concerns a method for 
controlling a smart card. 

It applies more particularly to cards implementing 
cryptography algorithms using keys or pairs of keys in 
authentication sessions, during transactions between 
the card and a terminal. 

Terminal means both the terminal in which the card 
is inserted, such as for example a payment terminal at 
a shop, and a bank server to which this payment 
terminal can be connected during a so-called direct 
connection transaction, according to a transaction mode 
known as "online" in British and American literature. 
This is notably the case with bank cards (debit /credit 
cards), for transactions relating to an amount which 
exceeds a certain threshold and in which the terminal 
is automatically connected to the server for additional 
checks before accepting the transaction. 



Hereinafter, terminal means any external system to 
which the card is connected during a transaction. 

The invention applies notably, but not 
exclusively, to smart cards of the electronic purse 
type, which are disposable or rechargeable payment 
means . 

To prevent any fraud related to the use of smart 
cards, cryptographic algorithms are used, which use 
keys . 

In practice, for a certain number of transactions, 
one or more authentication sessions by the card or 
terminal are provided for, so as to ensure maximum 
security. Authentication session means all the 

operations aimed at having the card or terminal 
calculate a signature (or certificate) corresponding to 
the application of a cryptography algorithm to a data 
item which may be imposed by one or other or a mixture 
of data of the card and terminal, and to the comparison 
of the two signatures. If this comparison is made by 
the card, it is an authentication by the card, which 
receives the signature calculated by the terminal. If 
it is an authentication by the terminal, the opposite 
is the case. 

However, a new type of fraud has appeared which 
consists of deducing the value of the secret keys from 
statistical analyses based on measurements of current 
consumption in the card, during cryptographic 
calculation periods. This method of attack, known as 
DPA, standing for differential power analysis, is based 
on the fact that there are current consumption 



signatures from which, if at least the data item 
applied as an input or the data item applied as an 
output is known, it is possible, by making assumptions 
on the keys, to find the value or part of the value of 
a key which was used in the cryptographic calculation 
in question. 

To implement this fraud, it is therefore necessary 
to be able to initiate a cryptographic calculation with 
the same key a certain number of times, for example 300 
times. For this to be useable, it is necessary to know 
or to be able to impose or to be able to fix a 
cryptographic calculation parameter. 

If the example of smart cards of the electronic 
purse type implementing a secret key cryptographic 
algorithm is taken, the transactions between a card of 
this type and a terminal take place overall according 
to the following diagram, depicted in Figure 1: 

- in an initialisation phase, the card calculates 
a session key SKX from a secret key KDX contained in 
the card concerned and a session counter NTX of the 
card which is incremented irreversibly during the 
transaction . 

Then, according to the type of transaction, the 
card calculates a signature SI and/or a signature S2, 
by applying the cryptographic algorithm to a data item, 
in general imposed by the card, and with the session 
key SKX. 

For its part, the terminal calculates 
corresponding signatures, and, according to the type of 
transaction, either the terminal is authenticated by 



the card, or the card is authenticated by the terminal. 
There is therefore a transmission of data and 
associated signatures during authentication sessions. 

Take the case of an attempt at fraud based on a 
transaction of the loading type which normally serves 
for crediting the card of the electronic purse type 
with a certain sum. 

If a transaction of this type is initiated a 
certain number of times (300 times for example) and the 
card is removed from the terminal just after the 
initialisation phase, the session counter NTX of the 
card will not be incremented. If 300 transactions of 
this type are made, removing the card from the terminal 
in order to abort the transaction, the session key SKX 
will be the same for these 300 transactions. It is 
therefore possible to collect 300 current consumption 
measurements curves corresponding to the calculation of 
300 signatures on data which may be identical or 
variable according to the transaction, and with the 
same key. 

Statistical analysis, where the data to which the 
cryptographic calculation is applied, are variable, 
makes it possible to obtain the session key. 

According to the type of card, according to the 
transaction, it is possible in practice either to 
deduce the real secret keys contained in the card, or 
the session keys. 

Knowledge of a real secret key makes it possible 
on the one hand to manufacture false cards with this 
key; these cards will be seen as good by a terminal. 



This knowledge also makes it possible to perform 
transactions of the purchase cancellation type, for a 
card of the purse type, making it possible to recredit 
the card with a sum of money previously debited. 

Knowledge of a session key for its part makes it 
possible to replay a transaction, using a false card (a 
clone) or a simulator. 

The object of the invention is to prevent this 
type of fraud. 

However, this fraud requires two distinct types of 
operation : 

an operation of collecting measurements of 
current consumption, for which it is necessary to use 
the card for making the measurements at propitious 
moments, with real transactions with a terminal, but 
which are aborted by pulling-out the card or 
transactions with a simulator of the terminal, 
transactions which will fail through lack of 
authentication of the terminal by their card (wrong 
signatures) ; and 

a statistical analysis operation using 
simulation means (computers) , for finding the data 
sought, that is to say the keys. 

To see through the statistical analysis, it is 
necessary to effect a large number of measurements: 50, 
300, 5000. 

This means that in the card there will be a large 
number of authentication session failures by the card, 
failures due to aborted transactions, by pulling-out 
the card from the terminal or which have fallen through 



because of the supply by the terminal of wrong 
signatures . 

One object of the invention is thus to prevent the 
collection of current consumption measurements. 
5 However, it has been seen that, in the case where 

it is sought to make this connection, there will be a 
large number of authentication session failures by the 
card . 

One solution afforded to the technical problem of 
10 the invention consists of using in the card a control 
counter for counting down (or counting) these failures, 
and preventing the use of the card when a certain 
number of failures are counted. 

The invention therefore concerns a control method 
15 according to Claim 1. 

According to the invention, when a transaction 
between the card and a terminal which uses at least one 
authentication session by the card is initiated, the 
control counter is decremented by one unit. It is 
20 reincremented with this unit only if the authentication 
has succeeded. Or the control counter is incremented 
by one unit and is then decremented by this unit only 
if the authentication session has succeeded. 

Preferably use is made of a control counter by key 
25 and/or by a pair of encrypting keys used in the card. 

The control counter according to the invention can 
count down from or count up to a blocking value N 
representing the number of failures allowed. 

This blocking value N depends on the type of 
30 transaction in which the associated key or pair of keys 
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is used. This value corresponds to a permitted number 
of times of transactions failed or aborted. In 
particular it takes account of the security level to be 
associated with the transaction, that is to say the 
5 risk incurred by a fraud on this key or pair of keys. 

For example, where it is a question, with a card 
of the electronic purse type, of a transaction for 
updating parameters of the card, where these parameters 
can be the expiry date, the very values of the keys, a 

10 maximum sum for a transaction etc, a fairly low value N 
is provided for, since a very high degree of security 
must be associated with such a transaction and few 
errors in use can occur for this type of transaction. 
Where it is a case of purchase operations or 

15 cancellation of purchases, for which a certain number 
of incidents during the "normal" use of the card may 
occur, due notably to errors in use by the holder, a 
higher value is provided for. 

For a given key or a given pair of keys, when the 

20 counter has reached its limit value, zero by 
decrementation or N by incrementation, the use of the 
key or of the pair of keys is blocked: no transaction 
using this key or pair of keys can any longer be 
effected. Preferably provision is made for this 

25 blocking to be irreversible. Provision can however be 
made for reinitialising the counter in the case where a 
blocking results indisputably from a non-intentional 
error by the user. Provision can also be made for 
being able to modify the blocking value N, if it proves 

30 in practice to be too low or too high. Such 



reinitialisation or modification can be effected only 
according to a very secure procedure by an authorised 
third party (the bank) . 

In addition, in certain transactions, several 
5 cryptographic calculations are made, with the same key 
or the same pair of keys, up to and including the one 
consisting of the authentication session by the card. 
Provision is then made to decrement or increment the 
counter either by a new unit before each calculation or 

10 by a unit representing the number of calculations made. 

If the authentication session has succeeded, the 
counter is reincremented, or decremented, either by the 
sum of the units decremented, or incremented, by means 
of a pointing counter, or the representative unit, 

15 according to the chosen implementation mode of the 
control method according to the invention. 

Other characteristics and advantages of the 
invention are described in the following description, 
given by way of indication and in no way limitatively, 

2 0 and with reference to the accompanying drawings, in 
which : 

- Figure 1, already described, depicts a specimen 
diagram of cryptographic calculations made during a 
transaction between a card of the electronic purse type 

25 using a secret key cryptography algorithm and a 
terminal; 

- Figure 2 is a general diagram of the resources 
of a card of this type, comprising control counters 
according to the invention; and 
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- Figures 3 to 5 are flow diagrams of typical 
transactions in an electronic purse application using 
the use control method according to the invention. 

The general principle of the invention is to use 
5 at least one control counter which will be decremented 
or incremented by one unit at the start of a 
transaction between a terminal and a card, and which 
will be reincremented or decremented only after an 
authentication session by the card, if this session has 

10 succeeded. 

Hereinafter only the case is taken where the 
counter is decremented systematically at the start of 
each transaction and reincremented subject to 
conditions. The converse case can easily be transposed 

15 to, where the counter is systematically incremented at 
the start of the transaction, and decremented subject 
to conditions. 

The counter is initialised to a blocking value N, 
representing the number of permitted failures, which is 

20 notably a function of the application. If many 

transactions are started without allowing a successful 
authentication by the card, either because the 
transaction has been interrupted (the case of pull 
out) , or because the data sent to the card to allow 

25 authentication by the card are false (the case of a 
simulator used in place of a true terminal) , the 
counter which is decremented at each new transaction 
but which is not reincremented in all cases of failure 
in authentication by the card, finishes by reaching 

30 zero. Use of this card is then blocked. 
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An example of implementation of the invention will 
now be explained for a card of the electronic purse 
type using a cryptography algorithm whose encrypting 
key is a secret key. The invention is not limited 
5 either to this type of card or to this type of 
algorithm. It applies to any card effecting, for at 
least one transaction, an authentication session. The 
authentication session can use a secret key algorithm 
such as the DES algorithm, or an algorithm of the RSA 

10 type using a pair of encrypting keys (private key, 
public key) . Some cards implement even these two 
algorithms in order to use one or other according to 
the transaction to be carried out. The control method 
according to the invention applies to all these 

15 different cards and applications. 

Figure 2 depicts schematically the resources of a 
smart card of the electronic purse type, to which the 
control method of the invention can be applied. 

It comprises principally a microprocessor uP, and 

20 memory resources including a read only memory ROM, 
containing in practice the program code, a dynamic 
memory RAM as a working memory and a non-volatile 
memory of the EE PROM type for example, which contains 
in practice sensitive parameters (in the security 

25 sense) of the card, including counters. In the 

example, this memory contains notably three secret keys 
denoted KDP, KDL and KDU, three associated session 
counters, denoted NTP, NTL and NTU, and three 
associated control counters according to the invention, 

30 denoted C KDP , C KDL , C K du- 



This memory contains other parameters. Some can 
be updated by an external system, by means of an 
updating transaction, according to a secure procedure. 

It should be stated that, in an electronic purse 
5 card, three types of transaction are possible and to 
each type of transaction there corresponds an 
associated secret key. There are thus the following 
types of transaction: 

Purchase or purchase cancellation with the 
10 associated secret key, denoted KDP; 

- Load or unload with the associated secret key, 
denoted KDL, and 

- Update with the associated secret key, denoted 

KDU. 

15 In the invention, provision is then made for using 

a control counter by different secret key. There is 
thus the counter C K dp associated with the secret key 
KDP, the counter C KDL associated with the secret key KDL 
and the counter 

Ckdu associated with the secret key KDU. 

2 0 The example of an operating flow diagram for such 

a card depicted in Figure 3 concerns a transaction of 
the purchase type, for which the card therefore uses 
the secret key KDP, the associated session counter NTP 
and the associated control counter according to the 

25 invention, C K dp- 

A purchase transaction comprises a first 
initialisation phase, which is normally limited by to 
the sending of a command by the terminal to the card, 
to specify the type of transaction to it. This command 



is normally labelled as follows, in British and 
American literature: INIT FOR PURCHASE. 

The microprocessor then switches to the address of 
the program code corresponding to this type of 
5 transaction. 

In the invention, provision is made in this 
initialisation phase to decrement the control counter 
concerned, C K dp, by one unit. The card therefore 
executes the following instruction: C KD p = C KD p - u. 

10 It then tests whether the control counter has 

reached its limit value, zero in the example. If it 
has reached its limit value (C KD p^0) , the card cannot 
carry on with the transaction, which will therefore 
terminate through lack of response from the card. 

15 If the limit is not reached the card goes to a 

processing phase, in which it notably carries out the 
following operations: 

- it calculates the session key SK P , applying the 
cryptography algorithm to the value of the session 

20 counter NTP and using the secret key KDP, 

- it sends a data item to the terminal so that it 
calculates a corresponding signature S2 T , 

it receives and returns the signature S2 T 
calculated by the terminal, 
25 - it calculates a signature S2, applying the 

cryptography algorithm to the variable data item sent 
to the terminal, with the session key SK P . 

The card then compares the two signatures. If 
they are comparable, the authentication has succeeded, 
30 and the control counter according to the invention is 
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then reincremented by the value u. Otherwise it is 
unchanged. The transaction can then continue. 

It can be seen that, if too many transactions of 
the purchase type result in a failure in authentication 
5 by the card, the control counter according to the 
invention will make it possible to block any use of the 
card for a transaction of the purchase type. 

In fact it blocks any use of the card for 
transactions of the same type, using the same secret 

10 key. Thus, in the case of the counter Ckdp? it is the 
purchase or purchase cancellation transactions which 
will be blocked. 

Figure 4 shows an operating flow diagram for the 
card for the transaction of the purchase cancellation 

15 type, which therefore uses the same secret key KDP. 

In this transaction, the initialisation phase 
initiated by an initialisation command for the terminal 
(command "init for purchase cancellation" according to 
British and American literature) , comprises, in 

2 0 addition to the decrementation by one unit u of the 
control counter C KDP according to the invention, the 
calculation of the session key SK P and a signature SI 
obtained by applying a cryptography algorithm to a data 
item, using the session key. At the end of this 

25 calculation, the card transmits this data item and the 
signature SI to the terminal, to enable the terminal to 
authenticate the card. This authentication by the 
terminal is not the subject of any response from the 
terminal . 
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The card passes to the processing phase in which 
in its turn it authenticates the terminal, as before. 
In this type of transaction, the signature S2 is in 
general calculated on zero. The card therefore 

5 calculates the corresponding signature S2 with the 
session key KDP . It receives the signature S2 T 

calculated by the terminal and makes a comparison of 
the two signatures. If they are comparable, the 
authentication session has succeeded. The control 

10 counter according to the invention is reincremented by 
the unit u. Otherwise the control counter is 

unchanged. The transaction continues. 

In the case of this transaction, it can be seen 
that the card makes two cryptographic calculations up 

15 to and including that of the authentication session by 
the card, the calculation of the signature SI and the 
calculation of the signature S2. For this transaction, 
provision is then preferably made for decrementing the 
control counter by a value corresponding to the number 

20 of cryptographic calculations made up to and including 
the one for the authentication session by the card. 

This decrementation can take place on a single 
occasion, by a unit u representing this number of 
calculations performed for this transaction. The value 

25 taken by u for this transaction can be initialised in 
the initialisation phase, following the command of the 
"INIT FOR" type. This decrementation on several 
occasions, by decrementing the counter by one unit 
before each calculation, in the example, before the 

30 calculation of the signature SI and before the 
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calculation of the signature S2. In this case, 

provision will be made for testing the limit value on 
the counter after each decrementation. 

In this case also, there is also provided a 
5 pointing counter associated with the control counter, 
denoted D KD p in Figure 2, initialised to zero at the 
start of the transaction, and which is for example 
incremented each time the control counter is 
decremented. Thus, if the authentication by the card 

10 has succeeded, the control counter is reincremented by 
the number contained in the pointing counter. 

It should be noted that an expert will use one or 
other of the different possibilities of implementation 
according to the specificities of the application 

15 involved. Notably it is possible to use one 

implementation for one type of transaction and another 
for another type of transaction according to the degree 
of security required. 

Figure 5 depicts an operating flow diagram for 

20 another type of transaction, the one of updating. It 
is relatively similar to the previous ones, but the 
authentication by the card takes place here on the 
signature denoted SI. 

This is because, in general terms, the control 

25 counter is decremented at the start of the transaction. 

It is reincremented, if it can be, only after an 
authentication session by the card. 

It should be noted that the flow diagrams in 
Figures 3 to 5 show only some of the operations 

30 performed during the transaction, for an explanation of 
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the method according to the invention. In practice, 
other operations are executed. Notably, according to 
the transactions, use is made, for calculating the 
signatures, of the current session key or the previous 
5 session key. After calculating the session key, the 
session counter must be incremented. All these aspects 
are specific to the application strictly speaking and 
have no interest with regard to the implementation of 
the control method according to the invention. 

10 The different control counters must be initialised 

to a well chosen blocking value N. This value must 
take account of the associated type of transaction, the 
corresponding security level to be implemented but also 
possible errors during "normal" use by the card holder: 

15 it is not a question of blocking use of the card when 
the holder has not attempted to commit a fraud. 

In one example for purely illustrative purposes, 
but which shows the different aspects which must taken 
into account, it is possible to initialise the control 

20 counter C K dp associated with the purchase/purchase 
cancellation transactions at 100, the control counter 
C K dl associated with the load/unload transactions at 20, 
and the control counter C KD u associated with the update 
transactions at 10. 

2 5 It was explained above that a variant of the 

control method according to the invention consists of 
incrementing the counter at each session and 
decrementing it only subject to conditions 
(authentication by the card successful) . In this case, 

30 the counter is initialised to zero, and the limit 



value, with which the content of the counter is 
compared, is equal to the blocking value N. Everything 
described above applies to this variant of the 
invention . 

5 The invention has just been explained in an 

example of application to an electronic purse card. 
However, it is clear from this description that the 
control method according to the invention applies to 
any type of smart card provided that it performs an 

10 authentication session. This authentication session 
can be based on a secret key cryptography algorithm, 
for example of the DES type, as explained in the case 
of the electronic purse card, but also algorithms of 
other types, such as the algorithms of the RSA type 

15 using a pair of keys (private key, public key) for 
example. In addition, in the invention, smart card 
means both the cards to a well-known format and 
portable carriers . 
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CLAIMS 

1. A method of controlling the use of a smart 
card comprising a microprocessor able to effect 
cryptography calculations in the card for effecting 

5 authentication sessions at the time of a transaction 
between the card and a terminal, characterised in that 
the said method uses at least one control counter (C KD p) 
and in that, for a transaction comprising at least one 
authentication session by the card, the method consists 
10 of: 

- decrementing or incrementing the control counter 
by one unit (u) at the start of the transaction, and 

- if the authentication by the card has succeeded, 
effecting the reincrementation or decrementation of the 

15 said control counter by the said unit (u) . 

2. A method according to Claim 2, characterised 
in that the control counter can count down from or 
count up to a blocking value. 

3. A method according to Claim 2, characterised 
20 in that it comprises the use of a control counter by an 

encrypting key and/or by a pair of encrypting keys 
contained in the card. 

4. A method according to Claim 3, characterised 
in that the blocking value associated with a counter is 

25 a function of the type of transaction in which the 
associated key or the associated pair of keys is used. 

5. A method according to Claim 3, characterised 
in that the decrementation or incrementation unit of a 
control counter represents the number of cryptographic 
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calculations with the associated key or the associated 
pair of keys, performed up till then and including the 
one consisting of the said authentication session 
during the said transaction. 
5 6. A method according to Claim 3, characterised 

in that the control counter associated with a key or a 
pair of keys is decremented or incremented by a new 
unit before each of the cryptographic calculations 
using the said key or the said pair of keys up to and 
10 including the one relating to the said authentication 
session by the card. 

7. A method according to Claim 5, characterised 
in that the reincrementation or decrementation of the 
counter by the unit representing the number of 

15 cryptographic calculations is effected if the 
authentication session by the card has succeeded. 

8. A method according to Claim 6, characterised 
in that it comprises a pointing counter (D K dp) for 
storing the number of decrementations or 

20 incrementations by one unit carried out, to permit the 
reincrementation or decrementation of the control 
counter (C KD p) via the content of the pointing counter, 
if the authentication session by the card has 
succeeded . 

25 9. A control method according to any one of the 

preceding claims, characterised in that the said 
authentication session by the card is effected at the 
time of a connection by direct link to a server. 

10. A method according to any one of the 

30 preceding claims, characterised in that, when the 
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control counter is decremented, or incremented, up to a 
limit value, it blocks the use of the associated key or 
associated pair of keys. 

11. A method according to Claim 10, characterised 
5 in that the blocking of the use of the key or pair of 

keys is irreversible. 

12. A smart card comprising at least one control 
counter associated with at least one key and/or one 
pair of keys for implementing a control method 

10 according to any one of the preceding claims. 
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